Examining Your Network and Its Security Needs

According to the National Security Agency (NSA), attacks on systems connected to the Internet are becoming more complex and dangerous. For instance, hackers can penetrate computer systems using a variety of techniques to exploit weaknesses hidden in the complex code of many operating systems and applications.

What to Protect and Why

Internet-facing servers are accessible to anyone in the world who has Internet access, and these servers are often targets of attacks. They include web servers, email servers, File Transfer Protocol (FTP) servers, and more. If a server has a public IP address, it is a potential target for attack. Firewalls also protect internal clients by adding a layer of protection that limits the ability of attackers to exploit weaknesses in both hardware and software.

Imagine an organization that sells products over the Internet and processes payment card transactions. Customers insist that the merchant protect their payment card data. To do this, organizations need to address two distinct security areas:

  • Network security—Computers, hard disks, databases, and other computer equipment attached directly or indirectly to the Internet need protection. Firewalls serve an important role in this aspect of network security.
  • Transaction security—Web servers must be able to complete private transactions securely with other entities and with databases that are reachable over the Internet. Hypertext Transfer Protocol Secure (HTTPS) is an important tool used to encrypt the transactions. Additionally, firewalls provide protection for the data. For example, it is common to locate a web server behind one firewall. The database server is behind a second firewall that restricts access to the database to only the web server. In this scenario, the area where the web server operates is called a demilitarized zone (DMZ).
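The two-firewall DMZ layout just described can be expressed as a small rule set and checked mechanically. The following Python is an added example, not code from the book or from any firewall product; the addresses (documentation ranges) and the PostgreSQL-style port 5432 for the database are constructed assumptions. It models a first-match rule list for the outer and inner firewall and asks, for a given source, destination and port, whether every firewall on the path allows the traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (RFC 5737 documentation ranges and RFC 1918).
INTERNET_CLIENT = "203.0.113.10"   # an arbitrary host on the Internet
WEB_SERVER = "192.0.2.10"          # web server in the DMZ
DB_SERVER = "10.0.0.20"            # database server on the internal network
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


def rule(src: str, dst: str, dport: Optional[int], action: str) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, action)


# Outer firewall (Internet -> DMZ): only HTTPS to the web server, everything else denied.
OUTER_FIREWALL = [
    rule("0.0.0.0/0", f"{WEB_SERVER}/32", 443, "allow"),
    rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),   # explicit default deny
]

# Inner firewall (DMZ -> internal): only the web server may reach the database port.
INNER_FIREWALL = [
    rule(f"{WEB_SERVER}/32", f"{DB_SERVER}/32", 5432, "allow"),
    rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def evaluate(rules: list, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match at all is treated as deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def zone(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


# Which firewalls a packet crosses, by (source zone, destination zone).
FIREWALLS_ON_PATH = {
    ("internet", "dmz"): [OUTER_FIREWALL],
    ("internet", "internal"): [OUTER_FIREWALL, INNER_FIREWALL],
    ("dmz", "internal"): [INNER_FIREWALL],
}


def path_allowed(src: str, dst: str, dport: int) -> bool:
    """True only if every firewall between the two zones allows the traffic."""
    key = (zone(src), zone(dst))
    if key not in FIREWALLS_ON_PATH:
        return False   # paths not modelled here (e.g. internal -> Internet) are out of scope
    return all(evaluate(fw, src, dst, dport) == "allow" for fw in FIREWALLS_ON_PATH[key])


if __name__ == "__main__":
    for src, dst, port in [(INTERNET_CLIENT, WEB_SERVER, 443),
                           (INTERNET_CLIENT, WEB_SERVER, 22),
                           (INTERNET_CLIENT, DB_SERVER, 5432),
                           (WEB_SERVER, DB_SERVER, 5432),
                           ("192.0.2.11", DB_SERVER, 5432)]:
        print(f"{src} -> {dst}:{port}  allowed={path_allowed(src, dst, port)}")
```

The point the checks make: an Internet client reaches the web server only on 443, never the database directly, and even another DMZ host cannot reach the database, because the inner rule is pinned to the web server's address. Real firewalls add state tracking and return-path handling; this model only covers the policy decision.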

Network security and transaction security have four overlapping types of risk:

  • Unauthorized individuals can breach the server’s document tree—Depending on what data resides on the server, this threat can compromise the confidentiality of documents stored there.
  • Transaction data can be intercepted—This threat can include personal data, financial data, or payment card information.
  • Information about the server can be accessed—If attackers learn details about the server, such as the type of server and its operating system (OS), they may be able to identify and exploit its known vulnerabilities.
  • Denial of service (DoS) attacks can occur—Many different types of DoS attacks are possible, such as when an attacker starts a TCP handshake but never completes it, leaving the half-open connection holding server resources. Hundreds of these incomplete sessions in a short time can consume substantial resources on a server and even crash it.

If your organization conducts business on the Internet, you need to take steps to protect those transactions. E-commerce requires a zero tolerance for failure. Protection is not optional; it is required.

Protecting Information and Resources

An organization must protect against attackers trying to access information and resources within the internal network, such as servers and workstations. Servers can host massive amounts of data invaluable to attackers. Database servers may host personally identifiable information (PII) about customers, including their payment card data. Domain Name System (DNS) servers host information such as the IP addresses and names of all systems in the network.

Protecting Clients and Users

Most organizations have a written security policy that outlines specific security requirements. A firewall can be useful in upholding the security policy by providing perimeter security. In other words, the firewall limits the risk of attack from hackers outside the internal network.

However, if you want to guarantee the security of an organization’s network and protect its clients’ and users’ interests, you should do the following, as well:

  • Treat private messages as confidential—Private messages should be encrypted to ensure that the message remains confidential. Encryption prevents the unauthorized disclosure of the private message.
  • Maintain integrity of information—Integrity methods verify that data has not changed. For example, hashing is often used to verify the integrity of messages. A hash is simply a number calculated by applying an algorithm (a mathematical formula) to the numbers (1s and 0s) that make up a message. No matter how many times you calculate the hash, it will always be the same, as long as the data has not changed. The hash is calculated at the source and sent with the message. The hash is recalculated at the destination against the received message and compared with the hash sent with the message. If both hashes are the same, the integrity of the message is ensured.
  • Use strong authentication and nonrepudiation methods for all transactions—Digital signatures commonly accompany both authentication and nonrepudiation. For example, a sender can sign a message with a digital signature. The receiver can use this signature to verify the identity of the sender. In other words, the digital signature provides authentication. Additionally, because it was digitally signed, the sender cannot deny sending it. In other words, the digital signature also provides nonrepudiation.
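The integrity procedure in the list above (hash at the source, send it with the message, recompute at the destination, compare) is easy to see in a few lines. The following Python is an added example, not code from the book; the sample message is constructed and SHA-256 is assumed as the hash algorithm. It also shows the gap the last list item closes: a bare hash detects accidental or blind tampering, but an attacker who can rewrite the message can recompute the hash too, which is why authentication and nonrepudiation need a digital signature rather than a hash alone.

```python
import hashlib
import hmac


def compute_hash(message: bytes) -> str:
    """The hash calculated at the source over the raw message bytes (SHA-256 here)."""
    return hashlib.sha256(message).hexdigest()


def package(message: bytes) -> dict:
    """What the sender transmits: the message together with its hash."""
    return {"message": message.decode("utf-8"), "sha256": compute_hash(message)}


def verify(received: dict) -> bool:
    """At the destination: recompute the hash over what arrived and compare it with
    the hash that came with the message. compare_digest avoids a timing side channel
    in the comparison itself."""
    recomputed = compute_hash(received["message"].encode("utf-8"))
    return hmac.compare_digest(recomputed, received["sha256"])


def tamper(received: dict, old: str, new: str) -> dict:
    """Simulate an in-transit change to the message body while the hash stays as sent."""
    return {**received, "message": received["message"].replace(old, new)}


def tamper_and_rehash(received: dict, old: str, new: str) -> dict:
    """Simulate an attacker who changes the body and replaces the hash to match.
    A hash alone cannot detect this; that is what a digital signature is for."""
    changed = received["message"].replace(old, new).encode("utf-8")
    return package(changed)


# Constructed sample message for the demonstration.
ORDER = b"transfer 100.00 to account 12345"


if __name__ == "__main__":
    sent = package(ORDER)
    print("unmodified verifies:      ", verify(sent))
    print("body changed, hash kept:  ", verify(tamper(sent, "100.00", "900.00")))
    print("body and hash replaced:   ", verify(tamper_and_rehash(sent, "100.00", "900.00")))
```

Running it prints True, False, True: the third line is the case a hash cannot catch, and it is the reason the text pairs integrity with signatures, which bind the hash to a key only the sender holds.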

Preserving Privacy

It is more difficult to preserve a user’s privacy on the Internet than in the physical world. Usually, you can close your door when seeking privacy or whisper something so that others cannot hear you. But the digital era has changed things. There is no such thing as whispering on the Internet.

When data is sent or received by a user surfing the Internet, that information can be intercepted and collected. Much of this data is stored in databases and can be made available for sale to others. Data mining methods are then used to help build customer preference profiles. From the perspective of an organization selling products, this data is valuable for identifying an individual’s buying habits and targeting advertising. However, this data can be easily misused.

The Electronic Privacy Information Center (EPIC) was established in 1994, in Washington, DC. Its goal is to alert the public to emerging privacy issues relating to the National Information Infrastructure (NII), such as the Digital Telephony Proposal, medical record privacy, and the sale of consumer data. EPIC’s mission is to preserve the right of privacy in the electronic age, as well as to give individuals greater control over personal information and to encourage the development of new technologies that protect privacy rights. EPIC can provide valuable information to IT professionals on emerging cyber laws and other privacy threats.

The California Consumer Privacy Act (CCPA), which went into effect in January 2020, requires companies to protect the consumer information they hold, and it stipulates minimum damages for class action suits in response to data breaches. The requirement to “implement and maintain reasonable security procedures and practices” often includes keeping sensitive information in a database behind a firewall and restricting access to the database.

Preserving privacy on a corporate network may require more stringent security if you have users accessing resources from all over the world. Administrators are responsible for setting up security policies to guarantee users’ privacy, and each user accessing the company’s network is responsible for browsing the web with ethical regard for others. They also should be aware of information they may reveal while accessing resources from outside the network.

Most network servers (including web servers) log every hit (connection) they receive. This log usually includes the IP address and/or the host name of the computer making the request. If the site uses any form of authentication, the server will also log the username. If the user filled out any form during the session, the values of any variables from that form are also recorded. The status of the request, the size of data packets transmitted, the user’s email address, and so on can also be logged. Moreover, web servers can make all of this information available to Common Gateway Interface (CGI) scripts. Because the majority of web browsers run on single-user PCs, very likely all of the transactions can be attributed to the individual using the PC.

Technical TIP

If you want to know more about EPIC, you can check out its webpage at https://epic.org/.

Revealing any of this information can harm the user. This is especially true if the user has logged any PII. Attackers can use PII for identity theft. Some PII may allow an attacker to access bank accounts or fraudulently charge payment cards. As a subtler example, if a user researches a job opening opportunity at a site, it may indicate that the user is searching for a new job. Browser lists, hotlists, and caches can also reveal certain patterns about the user. A proxy server, for instance, will track every connection outside the network on the Internet by IP address and the URL requested. If you install a proxy server within an organization, data stored on it needs to be protected so that only authorized individuals have access to it.
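One practical way to honour the point above, that stored server and proxy logs must be protected, is to pseudonymize them before anyone outside the small group of authorized administrators sees them. The following Python is an added example, not code from the book or from any web server; the three log lines are constructed in Apache "combined" format, and the redaction key is a placeholder that in practice would live outside the log store. It parses each entry into its fields (client address, username, requested URL with any submitted form values, status, size), replaces the address with a keyed hash so that one client's requests can still be correlated without revealing who they were, drops the username, and keeps query parameter names but strips their values.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log lines (not real traffic), Apache "combined" format.
SAMPLE_LOG = """\
198.51.100.7 - alice [10/Oct/2023:13:55:36 +0000] "GET /jobs/search?title=engineer&email=alice%40example.com HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - bob [10/Oct/2023:14:02:10 +0000] "POST /checkout HTTP/1.1" 302 0 "https://shop.example/cart" "curl/8.0"
"""

# Placeholder key for the example; keep the real one separate from the logs.
REDACTION_KEY = b"constructed-demo-key-not-for-production"

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> dict:
    """Split one combined-format entry into named fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log line: {line!r}")
    return m.groupdict()


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed hash of the address: the same client always maps to the same token,
    so sessions can still be correlated, but the address cannot be recovered
    from the token without the key."""
    return hmac.new(key, ip.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def strip_query_values(url: str) -> str:
    """Keep parameter names (useful for debugging) but drop the submitted values."""
    parts = urlsplit(url)
    names = [(k, "") for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(names)))


def redact(entry: dict, key: bytes) -> dict:
    out = dict(entry)
    out["ip"] = pseudonymize_ip(entry["ip"], key)
    out["user"] = "-" if entry["user"] == "-" else "[redacted]"
    out["url"] = strip_query_values(entry["url"])
    out["referer"] = "-" if entry["referer"] == "-" else strip_query_values(entry["referer"])
    return out


def redact_log(text: str, key: bytes) -> list:
    return [redact(parse_line(line), key) for line in text.splitlines() if line.strip()]


def format_entry(e: dict) -> str:
    """Re-emit an entry in the same combined format so existing tools still read it."""
    return (f'{e["ip"]} - {e["user"]} [{e["time"]}] "{e["method"]} {e["url"]} {e["proto"]}" '
            f'{e["status"]} {e["size"]} "{e["referer"]}" "{e["agent"]}"')


if __name__ == "__main__":
    for entry in redact_log(SAMPLE_LOG, REDACTION_KEY):
        print(format_entry(entry))
```

Status codes, sizes, timestamps and paths survive, so the log remains useful for capacity planning and troubleshooting, while the fields the text singles out as revealing (address, username, form values such as the email parameter and the job search) no longer identify the person. The same treatment applies to a proxy server's record of outbound URLs.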
